
cons.saver setgid paranoia: Don't open arbitrary file #4848

@egmontkob

Description


Is there an existing issue for this?

  • I have searched the existing issues

Midnight Commander version and build configuration

4.8.33, git

Operating system

Linux

Is this issue reproducible using the latest version of Midnight Commander?

  • I confirm the issue is still reproducible with the latest version of Midnight Commander

How to reproduce

Setgid cons.saver checks that the passed device name is at most 15 bytes and begins with /dev/, and then proceeds and opens it for reading.

This allows one to create a symlink /dev/../tmp/x pointing wherever, and get cons.saver to open it for reading.

Of course cons.saver will immediately check if it's indeed a terminal device and quit otherwise. Still, I'm not happy with this amount of slack in a setgid tool.

Let's check that the passed string strictly matches the pattern /dev/tty[0-9]+.

Or rather: Maybe just pass the plain number as parameter, and let cons.saver prepend /dev/tty and /dev/vcsa.

While at it, we could remove the devfs-specific code, devfs has been obsoleted and replaced by udev in Linux 2.6 or so.

Expected behavior

.

Actual behavior

.

Additional context

No response
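The two argument-checking schemes proposed above, written out as an added example that is not cons.saver's own code. The function names and the assumed console range 1..63 are assumptions; the first function accepts only a string of the exact form /dev/tty[0-9]+, the second takes a plain number and builds both device paths itself so that no caller-supplied path is ever opened.

```c
/* Added example, not code from mc: strict validation of the console
 * argument a setgid helper receives.  Names and the 1..63 range are
 * assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TTY_PREFIX   "/dev/tty"
#define MAX_CONSOLE  63   /* assumption: virtual consoles 1..63 */

/* Accept only 1..3 decimal digits naming a console in range.
 * Any other byte ('/', '.', ' ', '-', ...) rejects the whole string.
 * Returns the console number or -1. */
static int parse_console_number(const char *s)
{
    const char *p;
    long n;

    if (*s == '\0' || strlen(s) > 3)
        return -1;
    for (p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    n = strtol(s, NULL, 10);
    return (n >= 1 && n <= MAX_CONSOLE) ? (int)n : -1;
}

/* Proposal 1: the argument must match /dev/tty[0-9]+ exactly.
 * "/dev/../tmp/x" fails the prefix test, "/dev/tty1/" the digit test. */
int parse_tty_path(const char *arg)
{
    if (arg == NULL || strncmp(arg, TTY_PREFIX, strlen(TTY_PREFIX)) != 0)
        return -1;
    return parse_console_number(arg + strlen(TTY_PREFIX));
}

/* Proposal 2: the caller passes only the number; the helper prepends
 * /dev/tty and /dev/vcsa itself.  Returns 0 and fills both buffers,
 * or -1 if the number is invalid or a buffer is too small. */
int build_console_paths(const char *num, char *tty, size_t tty_len,
                        char *vcsa, size_t vcsa_len)
{
    int n = parse_console_number(num);

    if (n < 0)
        return -1;
    if (snprintf(tty, tty_len, "/dev/tty%d", n) >= (int)tty_len)
        return -1;
    if (snprintf(vcsa, vcsa_len, "/dev/vcsa%d", n) >= (int)vcsa_len)
        return -1;
    return 0;
}
```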


    Labels

    area: tty (Interaction with the terminal, screen libraries), prio: medium (Has the potential to affect progress)
